IN THE CLAIMS: 

Pending claims follow: 

1 . (Previously Amended) A method for providing content-based 
intrusion detection for a computer system by using an agile kernel-based auditing 
system, comprising: 

receiving an audit specification; 

wherein the audit specification specifies at least one target attribute to be 
recorded from a set of possible target attributes during an auditing process by the 
auditing system; 

wherein the audit specification also specifies at least one auditing criterion 
that triggers recording of the at least one target attribute during the auditing 
process; 

configuring the auditing system to record the at least one target attribute in 
response to detecting the at least one auditing criterion; 

running the auditing system to produce an audit log by recording the at 
least one target attribute in response to detecting the at least one auditing criterion; 
and 

examining the audit log to detect patterns for intrusion detection purposes; 
wherein a size of the audit log is reduced when the auditing system is run 
prior to the examination for detection of the patterns. 

2. (Original) The method of claim 1, further comprising: 
detecting an event during the auditing process; and 
in response to detecting the event, dynamically adjusting the auditing 
system during the auditing process to change the at least one auditing criterion 
and/or the at least one target attribute for subsequent operation of the auditing 
system. 

3. (Original) The method of claim 1, wherein the auditing system is 
configured to modify a system call jump table to cause at least one selected 
system call to execute code that causes the at least one target attribute to be 
recorded in response to detecting the at least one auditing criterion. 

4. (Previously Amended) The method of claim 1, wherein the at least 
one target attribute includes: 

an argument from a system call; 

a parameter of a process making the system call; 

data read during the system call; 

data written during the system call; 

a parameter of a file involved in the system call; and 

a parameter relating to a network communication involved in the system 
call. 

5. (Previously Amended) The method of claim 1, wherein configuring 
the auditing system to record the at least one target attribute comprises: 

compiling the audit specification to produce a kernel module; 

loading the kernel module into a kernel of an operating system of the 
computer system; and 

linking code from within the kernel module into system calls within the 
operating system. 
6. (Previously Amended) The method of claim 1, wherein the at least 
one auditing criterion includes: 

a user identifier for a process that is making a system call; 
an identifier for an application program from which the system call is 
being made; and 

an identifier for a file being accessed by the system call. 

7. (Previously Amended) The method of claim 1, wherein producing 
the audit log comprises filtering the at least one target attribute to reduce an 
amount of data stored in the audit log. 

8. (Previously Amended) The method of claim 1, wherein producing 
the audit log comprises: 

determining at least one characteristic of the at least one target attribute; 

and 

recording the at least one characteristic in the audit log. 

9. (Original) The method of claim 1, wherein the audit specification 
is received from one of: 

a user of the auditing system; and 
an intrusion detection mechanism. 

10. (Previously Amended) A computer-readable storage medium 
storing instructions that when executed by a computer cause the computer to 
perform a method for providing content-based intrusion detection for a computer 
system by using an agile kernel-based auditing system, the method comprising: 
receiving an audit specification; 

wherein the audit specification specifies at least one target attribute to be 
recorded from a set of possible target attributes during an auditing process by the 
auditing system; 

wherein the audit specification also specifies at least one auditing criterion 
that triggers recording of the at least one target attribute during the auditing 
process; 

configuring the auditing system to record the at least one target attribute in 
response to detecting the at least one auditing criterion; 

running the auditing system to produce an audit log by recording the at 
least one target attribute; and 

examining the audit log to detect patterns for intrusion detection purposes; 

wherein a size of the audit log is reduced when the auditing system is run 
prior to the examination for detection of the patterns. 

11. (Previously Amended) The computer-readable storage medium of 
claim 10, wherein the method further comprises: 

detecting an event during the auditing process; and 
in response to detecting the event, dynamically adjusting the auditing 
system during the auditing process to change the at least one auditing criterion or 
the at least one target attribute for subsequent operation of the auditing system. 

12. (Original) The computer-readable storage medium of claim 10, 
wherein the auditing system is configured to modify a system call jump table to 
cause at least one selected system call to execute code that causes the at least one 
target attribute to be recorded in response to detecting the at least one auditing 
criterion. 

13. (Previously Amended) The computer-readable storage medium of 
claim 10, wherein the at least one target attribute includes: 
an argument from a system call; 
a parameter of a process making the system call; 
data read during the system call; 
data written during the system call; 
a parameter of a file involved in the system call; and 
a parameter relating to a network communication involved in the system 
call. 

14. (Previously Amended) The computer-readable storage medium of 
claim 10, wherein configuring the auditing system to record the at least one target 
attribute comprises: 

compiling the audit specification to produce a kernel module; 

loading the kernel module into a kernel of an operating system of the 
computer system; and 

linking code from within the kernel module into system calls within the 
operating system. 

15. (Previously Amended) The computer-readable storage medium of 
claim 10, wherein the at least one auditing criterion includes: 

a user identifier for a process that is making a system call; 
an identifier for an application program from which the system call is 
being made; and 
an identifier for a file being accessed by the system call. 

16. (Previously Amended) The computer-readable storage medium of 
claim 10, wherein producing the audit log comprises filtering the at least one 
target attribute to reduce an amount of data stored in the audit log. 

17. (Previously Amended) The computer-readable storage medium of 
claim 10, wherein producing the audit log comprises: 

determining at least one characteristic of the at least one target attribute; 
and 

recording the at least one characteristic in the audit log. 

18. (Original) The computer-readable storage medium of claim 10, 
wherein the audit specification is received from one of: 

a user of the auditing system; and 
an intrusion detection mechanism. 

19. (Previously Amended) An apparatus for providing content-based 
intrusion detection for a computer system by using an agile kernel-based auditing 
mechanism, comprising: 

an auditing mechanism that is configured to audit system calls; 

a receiving mechanism that is configured to receive an audit specification; 

wherein the audit specification specifies at least one target attribute to be 
recorded from a set of possible target attributes during an auditing process by the 
auditing mechanism; 
wherein the audit specification also specifies at least one auditing criterion 
that triggers recording of the at least one target attribute during the auditing 
process; 

an initialization mechanism that configures the auditing mechanism to 
record the at least one target attribute in response to detecting the at least one 
auditing criterion; 

wherein the auditing mechanism is configured to produce an audit log by 
recording the at least one target attribute in response to detecting the at least one 
auditing criterion; and 

an intrusion detection mechanism that is configured to examine the audit 
log to detect patterns for intrusion detection purposes; 

wherein a size of the audit log is reduced when the auditing mechanism is 
run prior to the examination for detection of the patterns. 

20. (Previously Amended) The apparatus of claim 19, wherein the 
initialization mechanism is further configured to: 

detect an event during the auditing process; and 

in response to detecting the event, to dynamically adjust the auditing 
mechanism during the auditing process to change the at least one auditing 
criterion or the at least one target attribute for subsequent operation of the auditing 
mechanism. 

21. (Original) The apparatus of claim 19, wherein the auditing 
mechanism is configured to modify a system call jump table to cause at least one 
selected system call to execute code that causes the at least one target attribute to 
be recorded in response to detecting the at least one auditing criterion. 
22. (Previously Amended) The apparatus of claim 19, wherein the at 
least one target attribute includes: 

an argument from a system call; 

a parameter of a process making the system call; 

data read during the system call; 

data written during the system call; 

a parameter of a file involved in the system call; and 

a parameter relating to a network communication involved in the system 

call. 

23. (Original) The apparatus of claim 19, wherein the auditing 
mechanism is configured to: 

compile the audit specification to produce a kernel module; 

load the kernel module into a kernel of an operating system of the 
computer system; and to 

link code from within the kernel module into system calls within the 
operating system. 

24. (Previously Amended) The apparatus of claim 19, wherein the at 
least one auditing criterion includes: 

a user identifier for a process that is making a system call; 
an identifier for an application program from which the system call is 
being made; and 

an identifier for a file being accessed by the system call. 
25. (Original) The apparatus of claim 19, wherein the auditing 
mechanism is configured to produce the audit log by filtering the at least one 
target attribute to reduce an amount of data stored in the audit log. 

26. (Previously Amended) The apparatus of claim 19, wherein the 
auditing mechanism is configured to produce the audit log by operations 
comprising: 

determining at least one characteristic of the at least one target attribute; 

and 

recording the at least one characteristic in the audit log. 

27. (Original) The apparatus of claim 19, wherein the audit 
specification is received from one of: 

a user of the auditing mechanism; and 
the intrusion detection mechanism. 
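Added illustration, not part of the claims and not the applicant's implementation: a user-space C model of the mechanism recited in claims 1 through 9 (and mirrored in claims 10 through 27). Selected entries of a system-call jump table are overwritten with hooks; each hook applies the audit specification's criteria (caller's user identifier, file touched), records only the target attributes the specification selects, reduces written data to a characteristic (length and prefix) instead of storing it, and chains to the original handler. The specification can be swapped while the hooks stay in place, which is the dynamic adjustment of claim 2. The table layout, syscall indices, attribute names, the simulated process and fd table, and the sample calls are all constructed assumptions for illustration; a real kernel module would patch the kernel's own table and read these attributes from the current task and file objects.

```c
#include <stdio.h>
#include <string.h>

/* Assumed model of a syscall jump table: index -> handler(a0, a1, a2). LP64 is assumed
   so pointer arguments travel through long, as they would through a real entry stub. */
typedef long (*syscall_fn)(long a0, long a1, long a2);
enum { IDX_OPEN = 0, IDX_WRITE = 1, NR_SYSCALLS = 2 };
/* Target attributes an audit specification may select (cf. claim 4). */
enum { ATTR_ARGS = 1, ATTR_PROC = 2, ATTR_FILE = 4, ATTR_DATA = 8 };

/* Audit specification: criteria that trigger recording (cf. claim 6) and what to record. */
struct audit_spec {
    int uid;              /* -1 matches any user */
    const char *file;     /* NULL matches any file */
    unsigned record_mask; /* ATTR_* bits */
};

/* Simulated calling process (stand-in for the kernel's current task) and fd table. */
static struct { int uid; const char *comm; } cur = { 1000, "sh" };
#define FD_MAX 16
static const char *fd_path[FD_MAX];

/* Stand-ins for the real handlers: open hands out the next free fd, write returns len. */
static long real_open(long path, long flags, long mode) {
    (void)flags; (void)mode;
    for (int fd = 3; fd < FD_MAX; fd++)
        if (!fd_path[fd]) { fd_path[fd] = (const char *)path; return fd; }
    return -1;
}
static long real_write(long fd, long buf, long len) { (void)fd; (void)buf; return len; }

static syscall_fn sys_call_table[NR_SYSCALLS] = { real_open, real_write }; /* live table */
static syscall_fn saved_table[NR_SYSCALLS];                                /* originals */
static struct audit_spec g_spec;
#define LOG_MAX 16
#define REC_LEN 192
#define REM(n) ((n) < REC_LEN ? REC_LEN - (n) : 0) /* space left in a record, never negative */
static char audit_log[LOG_MAX][REC_LEN];
static int log_count;

static const char *file_of(int idx, long a0) {
    if (idx == IDX_OPEN) return (const char *)a0;
    return (a0 >= 3 && a0 < FD_MAX) ? fd_path[a0] : NULL;
}

/* Auditing criteria: the caller's user identifier and the file the call touches. */
static int criteria_match(int idx, long a0) {
    if (g_spec.uid >= 0 && cur.uid != g_spec.uid) return 0;
    if (g_spec.file) {
        const char *f = file_of(idx, a0);
        if (!f || strcmp(f, g_spec.file) != 0) return 0;
    }
    return 1;
}

/* Record only the selected attributes; written data is reduced to a characteristic
   (length plus an 8-byte prefix) rather than stored whole (cf. claims 7 and 8). */
static void record(int idx, long a0, long a1, long a2) {
    if (log_count >= LOG_MAX) return;
    char *r = audit_log[log_count++];
    int n = snprintf(r, REC_LEN, "sys=%d", idx);
    if (g_spec.record_mask & ATTR_PROC)
        n += snprintf(r + n, REM(n), " uid=%d comm=%s", cur.uid, cur.comm);
    if (g_spec.record_mask & ATTR_ARGS)
        n += snprintf(r + n, REM(n), " a0=%ld a1=%ld a2=%ld", a0, a1, a2);
    if (g_spec.record_mask & ATTR_FILE) {
        const char *f = file_of(idx, a0);
        n += snprintf(r + n, REM(n), " file=%s", f ? f : "?");
    }
    if ((g_spec.record_mask & ATTR_DATA) && idx == IDX_WRITE)
        snprintf(r + n, REM(n), " wlen=%ld wprefix=%.8s", a2, (const char *)a1);
}

/* Replacement entries: apply the criteria, record, then chain to the saved original. */
static long hook_open(long a0, long a1, long a2) {
    if (criteria_match(IDX_OPEN, a0)) record(IDX_OPEN, a0, a1, a2);
    return saved_table[IDX_OPEN](a0, a1, a2);
}
static long hook_write(long a0, long a1, long a2) {
    if (criteria_match(IDX_WRITE, a0)) record(IDX_WRITE, a0, a1, a2);
    return saved_table[IDX_WRITE](a0, a1, a2);
}

/* "Loading the module": save the selected entries, then overwrite them (cf. claims 3, 5). Call once. */
void audit_install(struct audit_spec spec) {
    g_spec = spec; log_count = 0;
    memcpy(saved_table, sys_call_table, sizeof saved_table);
    sys_call_table[IDX_OPEN] = hook_open;
    sys_call_table[IDX_WRITE] = hook_write;
}
/* Dynamic adjustment while auditing continues (cf. claim 2): swap the spec, keep the hooks. */
void audit_adjust(struct audit_spec spec) { g_spec = spec; }
/* Dispatch through the (patched) table, as the syscall entry path would. */
long do_syscall(int idx, long a0, long a1, long a2) { return sys_call_table[idx](a0, a1, a2); }
void set_current(int uid, const char *comm) { cur.uid = uid; cur.comm = comm; }
int audit_log_count(void) { return log_count; }
const char *audit_log_entry(int i) { return (i >= 0 && i < log_count) ? audit_log[i] : NULL; }

int main(void) {
    struct audit_spec spec = { 1000, "/etc/passwd", ATTR_PROC | ATTR_FILE | ATTR_DATA };
    audit_install(spec);
    do_syscall(IDX_OPEN, (long)"/tmp/scratch", 0, 0);                /* wrong file: not recorded */
    long fd = do_syscall(IDX_OPEN, (long)"/etc/passwd", 1, 0);       /* recorded */
    do_syscall(IDX_WRITE, fd, (long)"root::0:0:root:/:/bin/sh", 24); /* recorded, payload reduced */
    for (int i = 0; i < audit_log_count(); i++) puts(audit_log_entry(i));
    return 0;
}
```

The size reduction the claims describe comes from two places in this model: calls that fail the criteria never produce a record at all, and records that are produced carry only the selected attributes, with bulk data replaced by its length and a short prefix. Widening the specification at run time (for instance to any user and argument values after a suspicious open) costs nothing but a struct copy, because the jump-table entries are never touched again after installation.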